[Samba] Upgraded samba, mostly still works, but have one issue

2011-12-12 Thread Mark Casey

Hello list,

I recently upgraded an Ubuntu 8.04 LTS samba server to 10.04 LTS which 
took the installed version of samba from version 3.0.28a to version 
3.4.7. The server is an AD member using idmap-rid. I have updated the 
idmap directives in the config and it mostly worked (winbind works, 
Windows users can get to their shares with their correct permissions, 
etc.). The only thing that got broken is the ability of our IP security 
cameras to store data directly to the server through samba. I believe 
this may have been caused by a change to a default setting, such as the 
allowed authentication methods or possibly something like 'allow trusted 
domains', since these cameras are not capable of actually joining the 
domain. I've looked at some of the in-between release notes but no 
changes have jumped out at me.


The cameras are configured to connect to the given smb/cifs server and 
share (which exists and can be mapped from Windows if you use the right 
user). The share ('camshare') has share-level permissions set such that 
DOMAIN\camera should have full access. I have winbind set to use the 
default domain so the cameras are configured to connect as 'camera' 
instead of 'DOMAIN\camera' (but I've tried both anyway, to no avail). I 
have checked the password on the 'camera' account repeatedly.


However, you can see that something isn't right when the cameras try to 
mount the share:

root@server:~# tail -f /var/log/samba/log.smbd | grep camera
  check_ntlm_password:  Authentication for user [camera] - [camera] 
FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  Authentication for user [camera] - [camera] 
FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  Authentication for user [camera] - [camera] 
FAILED with error NT_STATUS_NO_SUCH_USER


If I use that username with the password when mapping the share from 
Win7, it works and the correct permissions are there.


Here is the smb.conf:

[global]
server string = File Server
workgroup = DOMAIN
realm = DOMAIN.COM
security = ADS
password server = *
#password server = dc1.domain.com
username map = /etc/samba/smbusers
obey pam restrictions = Yes
enable privileges = Yes
map to guest = Bad User
client NTLMv2 auth = Yes
log level = 2, vfs:1
syslog = 0
max log size = 0
load printers = No
preferred master = No
local master = No
domain master = No
dns proxy = No
disable netbios = yes
ldap ssl = no
host msdfs = No
template shell = /bin/false
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes

idmap backend = tdb
idmap uid = 10-19
idmap gid = 10-19
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10 - 50
idmap config DOMAIN:default = yes

hosts allow = 10.0.1.0/255.255.255.0 10.1.1.0/255.255.255.0 10.2.0.0/255.255.255.0 10.0.8.0/255.255.255.0 10.1.8.0/255.255.255.0 10.2.8.0/255.255.255.0 172.10.0.0/255.255.255.0 172.11.0.0/255.255.255.0

map acl inherit = No
hide special files = Yes
map archive = No
map readonly = No
map system = No
map hidden = No
force create mode = 707
force directory mode = 707
ea support = No
store dos attributes = No
wide links = No
follow symlinks = No
dos filemode = No
add share command=/etc/samba/command.pl
delete share command=/etc/samba/command.pl
change share command=/etc/samba/command.pl

[camshare]
comment = Camera data share
path = /home/camshare
read only = No
writeable = Yes
inherit owner = Yes
guest ok = No

[mainshare]
comment = Main Fileshare
path = /home/mainshare
read only = No
writeable = Yes
inherit owner = Yes
guest ok = Yes

vfs objects = recycle extd_audit
recycle:repository = Recycle Bin
recycle:directory_mode = 707
recycle:keeptree = yes
recycle:versions = no
recycle:touch = yes
recycle:touch_mtime = no
recycle:maxsize = 209715200
recycle:exclude = *.tmp *.temp ~$* *.~??


I've left off some other shares that don't seem relevant.

I can provide other info and/or more logs if needed. Thanks in advance 
for any assistance you may be able to provide.


Thank you,
Mark
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Upgraded samba, mostly still works, but have one issue

2011-12-12 Thread Dale Schroeder

On 12/12/2011 10:14 AM, Mark Casey wrote:

Mark,

Try adding the parameter map untrusted to domain = Yes


 map untrusted to domain (G)

   If a client connects to smbd using an untrusted domain name, such as
   BOGUS\user, smbd replaces the BOGUS domain with its SAM name before
   attempting to authenticate that user. In the case where smbd is
   acting as a PDC 

Re: [Samba] Upgraded samba, mostly still works, but have one issue

2011-12-12 Thread Dale Schroeder

On 12/12/2011 1:25 PM, Mark Casey wrote:

Dale,

That fixed it. Thanks very much for your time in looking at this 
issue! That leads to another question though. I don't get why 'winbind 
use default domain' did not cover the issue, since I have it set to 
yes. I assumed I could leave off the DOMAIN\ portion and it would 
add it for me...but more specifically, even using DOMAIN\camera 
wouldn't work. I should clarify though that nowhere in my config am I 
actually typing DOMAIN\; I'm only swapping that in on the mailing 
list as a redaction. When I tried the fully qualified user account in 
the IP camera's config the domain matched the one that this samba 
server is joined to.


I did note this part in smb.conf's man page about 'winbind use default 
domain':
*While this does not benefit Windows users, it makes SSH, FTP and 
e-mail function in a way much closer to the way they would in a native 
unix system.*


This would all make more sense if that line means that 'winbind use 
default domain' excludes not only Windows users but *all* smb/cifs 
authentication attempts. Then, it wouldn't apply to the IP cameras at 
all. However, even if that were the case I still can't explain the 
failure when I tried the user DOMAIN\camera.


Would you (or anyone) be able to provide any insight? Regardless, 
thanks again for your help thus far as I can now get this out of the 
urgent section of my list!


Thank you,
Mark


I don't know that I can explain it sufficiently, but I'll try.  
Essentially, map untrusted to domain was a new parameter to make Samba 
perform as it did prior to 3.4.  winbind use default name refers to 
something completely different.  As the man page indicates, I can ssh 
into the system as valid_user instead of DOMAIN\valid_user.  This 
applies to a valid user on a domain host.  On the other hand, since the 
cameras are not able to join the domain, the new parameter maps 
HOSTNAME\camera to DOMAIN\camera.


Others have explained winbind use default domain this way:

http://wiki.samba.org/index.php/Samba__Active_Directory
|winbind use default domain = Yes| removes the domain prefix from 
usernames, so you can login as /Username/ instead of /DOMAIN\Username/ 
or in some cases /DOMAIN+Username/ (see next explanation).


http://www.justlinux.com/forum/archive/index.php/t-118512.html
This winbind parameter eliminates the need to use the domain name with 
the user/group name. The domain name plus the separator will 
automatically be prepended to the user name.


Not perfect, but I hope it helps.

Dale
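A small audit script, added here as an example and not code from the thread or from Samba, that parses an smb.conf like the one above and flags the two settings behind this failure: 'map untrusted to domain' left at its 3.4 default of no, and 'map to guest = Bad User' combined with a 'guest ok = Yes' share, where an unknown username is served as guest rather than refused. The sample config inside it is a constructed, shortened copy of Mark's.

```python
# Added example (not from the thread or Samba): audit smb.conf settings behind the failures above.
import configparser

def parse_smb_conf(text):
    # Only '=' separates key and value, so 'idmap config DOMAIN:range' keeps its colon.
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")

def audit(text):
    """Return a list of (code, message) findings; empty means nothing flagged."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    # New in Samba 3.4 and off by default: without it a client sending HOSTNAME\user
    # (a device that never joined the domain) is not mapped to the server's own
    # domain, so the user lookup fails with NT_STATUS_NO_SUCH_USER.
    if not is_yes(g.get("map untrusted to domain")):
        findings.append(("UNTRUSTED_DOMAIN_NOT_MAPPED",
                         "map untrusted to domain is off: HOSTNAME\\user logins fail"))
    # 'map to guest = Bad User' turns an unknown username into a guest login; on a
    # share with 'guest ok = Yes' such a client silently writes as guest.
    if (g.get("map to guest") or "").strip().lower() == "bad user":
        for share in cp.sections():
            if share != "global" and is_yes(cp[share].get("guest ok")):
                findings.append(("GUEST_FALLBACK", f"unknown users become guest on [{share}]"))
    if not g.get("hosts allow"):
        findings.append(("NO_HOSTS_ALLOW", "no hosts allow restriction in [global]"))
    return findings

# Constructed sample: a shortened copy of the thread's [global], [camshare] and
# [mainshare] sections, plus the same config with Dale's fix applied.
SAMPLE_SMB_CONF = """\
[global]
security = ADS
map to guest = Bad User
hosts allow = 10.0.1.0/255.255.255.0 10.1.1.0/255.255.255.0
[camshare]
path = /home/camshare
guest ok = No
[mainshare]
path = /home/mainshare
guest ok = Yes
"""
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace("[global]\n", "[global]\nmap untrusted to domain = Yes\n")
```

Run audit() on the real file's contents to see which of the three findings apply; the guest fallback on [mainshare] remains after the fix and is worth a deliberate decision.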



On 12/12/2011 12:23 PM, Dale Schroeder wrote: